Home of the Space Needle, Pike Place Market, Amazon, and Starbucks, Seattle attracted risk managers and cyber security professionals from across the country to the 2018 RIMS Cyber Risk Forum. This two-day event in the beginning of October was filled with educational sessions ranging from the initial impact of the GDPR to ideas on how to overcome pushback when implementing cyber risk management tactics. Just as exciting as the sessions was the opportunity to network with risk managers at some major and well-known businesses.
One session I found interesting was “Why Companies Fail During a Cyber-Attack,” presented by Steve Wertheim, President at SonMax Consultants, Inc. After sharing some key statistics on the current and future state of cyber risks, such as the fact that a ransomware attack occurs every 14 seconds in the U.S. and that by 2021, cybercrime is expected to cost $6 trillion worldwide, Wertheim discussed the weaknesses of current cyber risk management plans across all businesses.
In his presentation, Wertheim shared some key reasons why companies have issues when it comes to cyber risks, including the lack of buy-in and focus from the business and the lack of incident response plans, as well as the need to update and test incident response plans regularly. Oftentimes, a business may buy insurance to transfer the cyber liability risk, or believe it has an undefeatable team of IT experts and cannot be hacked. The truth is that neither of these strategies is adequate on its own.
Cyber risk management is about having full focus from the entire business and utilizing multiple tools to reduce the probability of becoming the next front-page article. The ideal situation consists of having a team of experts, cyber insurance that covers what a business needs, a current and robust incident response plan, potentially utilizing ethical hackers, corporate-wide training, education on cyber risks, and more. For example, even if a company had the best tools to prevent breaches, there is no tool that will prevent human error from opening an access point to cyber criminals, which makes training and education on cyber risk just as important. Total buy-in across the company is critical for sustainability and long-term success in the 21st century, as attempts at cyber-attacks will likely be a constant threat.
Additionally, Wertheim stressed that it is important not only to have an incident response plan, but also to test it and make sure it is robust (for example, not relying on a single point of contact for any step). Any contingency plan that isn’t tested or cannot be used when it is needed is just as bad as not having one at all.
Also, it’s beneficial to have all necessary external response services connected to the business before a cyber-hack occurs. Being proactive rather than reactive yields significant savings on data breach response service costs. Because it’s important to mitigate the severity of cyber breaches, the complete risk management package includes multiple tools, training, and communication. These services might be the difference between bankruptcy and sustainable long-term success, because hackers will never cease to exist.